On November 1st, 2024, Pedidos Ya, one of Argentina’s leading online food ordering platforms, was sanctioned by the Agency for Access to Public Information, Argentina’s Data Protection Authority.
The sanction resulted from a consumer complaint regarding unauthorized payments made with their credit card on the platform. The main breaches by the company include:
- Failure to provide an adequate response to the exercise of the right of access by the complainant, and
- Processing of personal data in disregard of the principles and guarantees established by the Personal Data Protection Law.
According to the Authority, the platform allowed credit cards of consumers to be linked to third-party user accounts without implementing a proper identity verification. Furthermore, the company failed to specifically identify the technical and organizational measures it applies to ensure the security and confidentiality of users’ personal data. Instead, it merely referred to the relevant section of its Privacy Policy.
The total fines imposed were approximately 120 USD at the current exchange rate.
Although fines in Argentina remain relatively low, it is encouraging to see the Authority addressing cases related to the security of financial data in online transactions. These cases impact not only the company and specific users involved, but also various stakeholders in the broader e-commerce ecosystem, as the confidentiality and security of such data are cornerstones for maintaining trust in the ecosystem.
Key Takeaways from the “Pedidos Ya” Case
Exercise of Rights. The lack of response, or an inadequate response, to the exercise of rights by consumers and users is one of the main reasons for sanctions by the Authority.
- Recommendations for Companies: Develop a clear and efficient response protocol to address consumer and user rights requests, and train teams on how to handle these requests effectively.
Insufficiency of Settlements with Consumers. Many claims related to personal data protection stem from users’ financial grievances (e.g., disputing unauthorized loans or charges). Companies often settle such claims by paying compensation to the consumer. In this case, although Pedidos Ya reported having settled an agreement with the consumer in court, the Authority emphasized that this did not preclude the imposition of fines for non-compliance with data protection legislation.
- Recommendations for Companies: Implement robust user identity validation processes, adhering to the highest industry standards and applicable regulations, to minimize unauthorized charges.
This issue was highlighted by the Authority itself, which stated that the company must adopt: “a procedure to validate user identity and verify the personal data provided by individuals attempting to create an account on the platform.”
Proactive and Demonstrable Accountability
The analysis of the sanction imposed by the Authority highlights the importance of accountability. This principle, included in the 2023 Draft Personal Data Protection Bill of Argentina and mentioned in some guidelines of the Authority, requires companies not only to comply with their personal data protection obligations but also to demonstrate their effective implementation.
In other words, the Authority does not accept as a defense just copy-pasting the Privacy Policy. Instead, documented evidence of effective measures taken to protect personal data is required. This approach aligns with various regulations, such as the European Union’s General Data Protection Regulation and Brazil’s General Data Protection Law.
- Recommendations for Companies: When implementing user identity validation processes, companies must ensure not only compliance with regulations and the highest industry standards but also develop appropriate and auditable protocols to demonstrate their implementation.
The decision of the Authority presents an opportunity for Argentinean companies processing consumer payments via credit cards and other payment methods to review their identity validation mechanisms and adopt additional measures to safeguard the confidentiality and security of consumer personal data. This will reduce the risk of sanctions by the Authority, while protecting the reputation of the company and serve as a valuable tool for building consumer trust.
If your company or organization requires advice on privacy and personal data protection, feel free to contact us at info@lermanszlak.com.
Gabriela Szlak
T° 79 F° 516 CPACF
________________________________________________________
1- This is because Argentina’s current law sets maximum fine amounts in fixed values denominated in Argentine pesos, which have remained unchanged since the law’s enactment in 2001. Article 21, Law 25,326. Available in Spanish at: https://servicios.infoleg.gob.ar/infolegInternet/anexos/60000-64999/64790/norma.htm.
2- Available at: https://www.argentina.gob.ar/sites/default/files/mensajeyproyecto_leypdp2023.pdf. It lost parliamentary status on 01/01/2025.
3- For instance, Guide for Public and Private Entities on Transparency and Personal Data Protection for Responsible Artificial Intelligence, available in Spanish at: https://www.argentina.gob.ar/sites/default/files/aaip-argentina-guia_para_usar_la_ia_de_manera_responsable.pdf; or Data Protection Impact Assessment Guide, available in Spanish at: https://www.argentina.gob.ar/noticias/argentina-y-uruguay-lanzan-la-guia-evaluacion-de-impacto-en-la-proteccion-de-datos.
